CI: Use noble image for QA tests

.github/workflows/auto-updates.yaml

@@ -12,29 +12,26 @@ permissions:
   contents: write
 
 # Jobs in this action must not run concurrently, as they modify the repository.
-# When adding more jobs, make sure to use the "needs:" atribute to make sure they run sequentially.
+# When adding more jobs, make sure to use the "needs:" attribute to make sure they run sequentially.
 jobs:
   update-rust-packaging:
     name: Update packaging related Rust files
-    runs-on: ubuntu-latest
-    # Right now, ubuntu 22.04 does not have the dh-cargo-vendored-sources script that is needed to
-    # run this job, so we need to run it inside a rolling container to get the latest version possible.
-    # This should be updated as soon as the dh-cargo version with the mentioned script gets ported to
-    # 22.04 or ubuntu-latest changes to a more recent version.
-    container:
-      image: ubuntu:rolling
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     steps:
       - name: Install dependencies
+        env:
+          DEBIAN_FRONTEND: noninteractive
         run: |
-          DEBIAN_FRONTEND=noninteractive apt update
-          DEBIAN_FRONTEND=noninteractive apt install -y cargo dh-cargo git jq
+          sudo apt update
+          sudo apt install cargo dh-cargo git jq
       - uses: actions/checkout@v4
         with:
           ref: main
       - name: Vendor the dependencies
         run: |
           cargo vendor vendor_rust/
       - name: Update XS-Vendored-Sources-Rust
+        shell: bash
         run: |
           set -eu
 
@@ -48,12 +45,6 @@ jobs:
           sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control
 
           echo "modified=true" >> $GITHUB_ENV
-        shell: bash
-      # Since we run this job in a container, we need to manually add the safe directory due to some
-      # issues between actions/checkout and actions/runner, which seem to be triggered by multiple
-      # causes (e.g. https://github.com/actions/runner-images/issues/6775, https://github.com/actions/checkout/issues/1048#issuecomment-1356485556).
-      - name: work around permission issue with git vulnerability (we are local here). TO REMOVE
-        run: git config --global --add safe.directory "$PWD"
       - name: Create Pull Request
         if: ${{ env.modified == 'true' }}
         uses: peter-evans/create-pull-request@v7

.github/workflows/qa.yaml

@@ -30,7 +30,7 @@ env:
 jobs:
   go-sanity:
     name: "Go: Code sanity"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     steps:
       - name: Install dependencies
         run: |
@@ -67,7 +67,7 @@ jobs:
 
   rust-sanity:
     name: "Rust: Code sanity"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     steps:
       - name: Install dependencies
         run: |
@@ -81,7 +81,7 @@ jobs:
 
   c-sanity:
     name: "C Code sanity"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     env:
       CFLAGS: "-Werror"
     steps:
@@ -122,7 +122,7 @@ jobs:
 
   go-tests:
     name: "Go: Tests"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     strategy:
       fail-fast: false
       matrix:
@@ -257,13 +257,11 @@ jobs:
           echo "Running PAM integration tests"
           pushd ./pam/integration-tests
           go test -asan -gcflags=all="${GO_GC_FLAGS}" -c
-          # FIXME: Suppression may be removed with newer libpam, as the one we ship in ubuntu as some leaks
-          LSAN_OPTIONS=suppressions=$(pwd)/lsan.supp \
-            go tool test2json -p pam/integrations-test ./integration-tests.test \
-              -test.v=test2json \
-              -test.timeout ${GO_TESTS_TIMEOUT} | \
-            gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \
-            exit_code=$?
+          go tool test2json -p pam/integrations-test ./integration-tests.test \
+            -test.v=test2json \
+            -test.timeout ${GO_TESTS_TIMEOUT} | \
+          gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \
+          exit_code=$?
           popd
 
           # We don't need the xtrace output after this point

pam/integration-tests/cli_test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/msteinert/pam/v2"
 	"github.com/stretchr/testify/require"
+	"github.com/ubuntu/authd"
 	"github.com/ubuntu/authd/internal/testutils"
 	localgroupstestutils "github.com/ubuntu/authd/internal/users/localgroups/testutils"
 	"github.com/ubuntu/authd/pam/internal/pam_test"
@@ -57,31 +58,31 @@ func TestCLIAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with qr code in a TTY": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty",
 				Term:    "linux",
 			},
 		},
 		"Authenticate user with qr code in a TTY session": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty-session",
 				Term:    "xterm-256color", SessionType: "tty",
 			},
 		},
 		"Authenticate user with qr code in screen": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-screen",
 				Term:    "screen",
 			},
 		},
 		"Authenticate user with qr code after many regenerations": {
 			tape:         "qr_code_quick_regenerate",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 		},
 		"Authenticate user and reset password while enforcing policy": {
 			tape: "mandatory_password_reset",
@@ -177,6 +178,8 @@ func TestCLIAuthenticate(t *testing.T) {
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
 
 			localgroupstestutils.RequireGPasswdOutput(t, gpasswdOutput, testutils.GoldenPath(t)+".gpasswd_out")
+
+			requireRunnerResultForUser(t, authd.SessionMode_AUTH, tc.clientOptions.PamUser, got)
 		})
 	}
 }
@@ -260,6 +263,8 @@ func TestCLIChangeAuthTok(t *testing.T) {
 			got := td.ExpectedOutput(t, outDir)
 			want := testutils.LoadWithUpdateFromGolden(t, got)
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
+
+			requireRunnerResult(t, authd.SessionMode_PASSWD, got)
 		})
 	}
 }

pam/integration-tests/native_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"github.com/ubuntu/authd"
 	"github.com/ubuntu/authd/internal/testutils"
 	localgroupstestutils "github.com/ubuntu/authd/internal/users/localgroups/testutils"
 	"github.com/ubuntu/authd/pam/internal/pam_test"
@@ -34,6 +35,7 @@ func TestNativeAuthenticate(t *testing.T) {
 		clientOptions      clientOptions
 		currentUserNotRoot bool
 		wantLocalGroups    bool
+		skipRunnerCheck    bool
 	}{
 		"Authenticate user successfully": {
 			tape:          "simple_auth",
@@ -44,23 +46,23 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with mfa": {
 			tape:          "mfa_auth",
-			tapeSettings:  []tapeSetting{{vhsHeight, 800}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 1000}},
 			clientOptions: clientOptions{PamUser: "user-mfa-integration-auth"},
 		},
 		"Authenticate user with form mode with button": {
 			tape:          "form_with_button",
-			tapeSettings:  []tapeSetting{{vhsHeight, 600}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 700}},
 			clientOptions: clientOptions{PamUser: "user-integration-form-w-button"},
 		},
 		"Authenticate user with qr code": {
 			tape:          "qr_code",
-			tapeSettings:  []tapeSetting{{vhsHeight, 2300}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 3000}},
 			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{PamUser: "user-integration-qr-code"},
 		},
 		"Authenticate user with qr code in a TTY": {
 			tape:          "qr_code",
-			tapeSettings:  []tapeSetting{{vhsHeight, 3700}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 4000}},
 			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty",
@@ -69,7 +71,7 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with qr code in a TTY session": {
 			tape:          "qr_code",
-			tapeSettings:  []tapeSetting{{vhsHeight, 3700}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 4000}},
 			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty-session",
@@ -78,7 +80,7 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with qr code in screen": {
 			tape:          "qr_code",
-			tapeSettings:  []tapeSetting{{vhsHeight, 3700}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 4000}},
 			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-screen",
@@ -236,8 +238,9 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		// FIXME: While this works now, it requires proper handling via signal_fd
 		"Exit authd if user sigints": {
-			tape:          "sigint",
-			clientOptions: clientOptions{PamUser: "user-integration-sigint"},
+			tape:            "sigint",
+			clientOptions:   clientOptions{PamUser: "user-integration-sigint"},
+			skipRunnerCheck: true,
 		},
 	}
 	for name, tc := range tests {
@@ -277,6 +280,10 @@ func TestNativeAuthenticate(t *testing.T) {
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
 
 			localgroupstestutils.RequireGPasswdOutput(t, gpasswdOutput, testutils.GoldenPath(t)+".gpasswd_out")
+
+			if !tc.skipRunnerCheck {
+				requireRunnerResultForUser(t, authd.SessionMode_AUTH, tc.clientOptions.PamUser, got)
+			}
 		})
 	}
 }
@@ -298,6 +305,7 @@ func TestNativeChangeAuthTok(t *testing.T) {
 		tapeVariables map[string]string
 
 		currentUserNotRoot bool
+		skipRunnerCheck    bool
 	}{
 		"Change password successfully and authenticate with new one": {
 			tape: "passwd_simple",
@@ -312,7 +320,7 @@ func TestNativeChangeAuthTok(t *testing.T) {
 
 		"Retry if new password is rejected by broker": {
 			tape:         "passwd_rejected",
-			tapeSettings: []tapeSetting{{vhsHeight, 700}},
+			tapeSettings: []tapeSetting{{vhsHeight, 1000}},
 		},
 		"Retry if new password is same of previous": {
 			tape: "passwd_not_changed",
@@ -341,7 +349,8 @@ func TestNativeChangeAuthTok(t *testing.T) {
 		},
 		// FIXME: While this works now, it requires proper handling via signal_fd
 		"Exit authd if user sigints": {
-			tape: "passwd_sigint",
+			tape:            "passwd_sigint",
+			skipRunnerCheck: true,
 		},
 	}
 	for name, tc := range tests {
@@ -365,6 +374,10 @@ func TestNativeChangeAuthTok(t *testing.T) {
 			got := td.ExpectedOutput(t, outDir)
 			want := testutils.LoadWithUpdateFromGolden(t, got)
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
+
+			if !tc.skipRunnerCheck {
+				requireRunnerResult(t, authd.SessionMode_PASSWD, got)
+			}
 		})
 	}
 }

pam/integration-tests/ssh_test.go

@@ -48,9 +48,9 @@ func testSSHAuthenticate(t *testing.T, sharedSSHd bool) {
 		t.Skip("Skipping tests with external dependencies as requested")
 	}
 
-	if uv := getUbuntuVersion(t); uv == 0 || uv >= 2404 {
+	if uv := getUbuntuVersion(t); uv == 0 || uv < 2404 {
 		require.Empty(t, os.Getenv("GITHUB_REPOSITORY"),
-			"Golden files needs to be updated to ensure CI runs on Ubuntu %v")
+			"Golden files need to be updated to run tests on Ubuntu %v", uv)
 		t.Skipf("Skipping SSH tests since they require new golden files for Ubuntu %v", uv)
 	}
 

pam/integration-tests/testdata/TestCLIAuthenticate/golden/authenticate_user_and_add_it_to_local_group

@@ -19,12 +19,20 @@ Gimme your password
 > ********
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
-PAM Authenticate() for user "user-local-groups" exited with success
-PAM AcctMgmt() exited with success
+PAM Authenticate()
+  User: "user-local-groups"
+  Result: success
+PAM AcctMgmt()
+  User: "user-local-groups"
+  Result: success
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
-PAM Authenticate() for user "user-local-groups" exited with success
-PAM AcctMgmt() exited with success
+PAM Authenticate()
+  User: "user-local-groups"
+  Result: success
+PAM AcctMgmt()
+  User: "user-local-groups"
+  Result: success
 >
 ────────────────────────────────────────────────────────────────────────────────

pam/integration-tests/testdata/TestCLIAuthenticate/golden/authenticate_user_and_offer_password_reset

@@ -35,12 +35,20 @@ New password:
   [ Skip ]
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
-PAM Authenticate() for user "user-can-reset" exited with success
-PAM AcctMgmt() exited with success
+PAM Authenticate()
+  User: "user-can-reset"
+  Result: success
+PAM AcctMgmt()
+  User: "user-can-reset"
+  Result: success
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
-PAM Authenticate() for user "user-can-reset" exited with success
-PAM AcctMgmt() exited with success
+PAM Authenticate()
+  User: "user-can-reset"
+  Result: success
+PAM AcctMgmt()
+  User: "user-can-reset"
+  Result: success
 >
 ────────────────────────────────────────────────────────────────────────────────

pam/integration-tests/testdata/TestCLIAuthenticate/golden/authenticate_user_and_reset_password_while_enforcing_policy

@@ -39,12 +39,20 @@ Confirm password:
 > *********
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
-PAM Authenticate() for user "user-needs-reset-integration-mandatory" exited with success
-PAM AcctMgmt() exited with success
+PAM Authenticate()
+  User: "user-needs-reset-integration-mandatory"
+  Result: success
+PAM AcctMgmt()
+  User: "user-needs-reset-integration-mandatory"
+  Result: success
 >
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
-PAM Authenticate() for user "user-needs-reset-integration-mandatory" exited with success
-PAM AcctMgmt() exited with success
+PAM Authenticate()
+  User: "user-needs-reset-integration-mandatory"
+  Result: success
+PAM AcctMgmt()
+  User: "user-needs-reset-integration-mandatory"
+  Result: success
 >
 ────────────────────────────────────────────────────────────────────────────────